Abstract

The Complex Multiplication (CM) method is a frequently used method for the generation of
prime order elliptic curves (ECs) over a prime field $\mathbb{F}_p$. The most demanding and complex step
of this method is the computation of the roots of a special type of class polynomials, called
Hilbert polynomials. These polynomials are uniquely determined by the CM discriminant D.
The disadvantage of these polynomials is that they have huge coefficients and thus they need
high precision arithmetic for their construction. Alternatively, Weber polynomials can be used
in the CM method. These polynomials have much smaller coefficients and their roots can be
easily transformed to the roots of the corresponding Hilbert polynomials. However, in the case
of prime order elliptic curves, the degree of Weber polynomials is three times larger than the
degree of the corresponding Hilbert polynomials and for this reason the calculation of their roots
involves computations in the extension field $\mathbb{F}_{p^3}$. Recently, two other classes of polynomials,
denoted by $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ respectively, were introduced which can also be used
in the generation of prime order elliptic curves. The advantage of these polynomials is that
their degree is equal to the degree of the Hilbert polynomials and thus computations over the
extension field can be avoided.

In this paper, we propose the use of a new class of polynomials. We will call them Ramanujan
polynomials, named after Srinivasa Ramanujan who was the first to compute them for a few values
of D. We explicitly describe the algorithm for the construction of the new polynomials, show
that their degree is equal to the degree of the corresponding Hilbert polynomials and give the
necessary transformation of their roots (to the roots of the corresponding Hilbert polynomials).
Moreover, we compare (theoretically and experimentally) the efficiency of using this new class
against the use of the aforementioned Weber, $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials and show
that they clearly outweigh all of them in the generation of prime order elliptic curves.

Keywords: Prime Order Elliptic Curves, Complex Multiplication, Class Polynomials. 

1 Introduction 

The generation of cryptographically secure elliptic curves over prime fields is one of the most 
fundamental and complex problems in elliptic curve cryptography. An elliptic curve (EC) is
cryptographically secure if its use in a cryptosystem guarantees robustness against all (currently) known
attacks (e.g. [HI (27J ESI HO]). All these attacks can be avoided if the order of the EC possesses
certain properties. An equally important alternative to cryptographic robustness (see e.g., [41])
requires that the order of the generated EC is a prime number. Moreover, in certain applications
it is necessary that the order of the EC is prime [7].

The most commonly used methods for the generation of ECs over prime fields are the Complex 
Multiplication (CM) method [UEUES] and the point counting method [43]. In this paper we follow
the first approach and study the use of the CM method for generating ECs of prime order in $\mathbb{F}_p$.
Briefly, the CM method takes as input the order p of the prime field and determines a parameter 
D called the CM discriminant and the order m of the EC. If the order m satisfies the desired 
properties (e.g. is a prime number) then a class polynomial is computed using the discriminant D 
and the parameters of the EC are constructed from a root modulo p of this polynomial. The most 
complex and demanding step of the CM method is the computation of the class polynomial. The 
original version of the method requires the construction of a Hilbert polynomial whose roots can 
be used directly for the construction of the EC parameters. The use of any other class polynomial 
necessitates the existence of a transformation that will convert the roots of this polynomial to 
the roots of the corresponding Hilbert polynomial. Class polynomials are constructed with input 
the discriminant D and by the term "corresponding polynomial" we mean the polynomial that is 
constructed with the same D. The disadvantage of Hilbert polynomials is that their coefficients 
grow very large as the value of discriminant increases and thus their construction requires high 
precision arithmetic and can be very inefficient even for moderate values of D. 

To overcome these shortcomings of Hilbert polynomials, two alternatives have been proposed 
for the case of prime order ECs: either to compute them off-line in powerful machines, and store 
them for subsequent use (see e.g., [2]), or to use alternative class polynomials for certain values of 
D (see e.g., [23]) and produce the required Hilbert roots from them. The first approach however
requires storing and handling several Hilbert polynomials with huge coefficients and this can induce 
problems especially in devices with limited resources. These problems are addressed by the second 
approach. 

Weber or $M_{D,l}(x)$ polynomials were used in the literature for the generation of prime order
elliptic curves [23]. Both types of polynomials have much smaller coefficients than the coefficients
of the corresponding Hilbert polynomials and their use can considerably improve the efficiency of
the whole CM method. More precisely, the logarithmic height of the coefficients of the Weber and
$M_{D,l}(x)$ polynomials is smaller by a constant factor than the corresponding logarithmic height of
the Hilbert polynomials. Weber polynomials can be computed faster than $M_{D,l}(x)$ polynomials
[12]. However, finding their roots requires computations in the extension field $\mathbb{F}_{p^3}$ which makes the
whole process more complicated. The reason is that in the case of prime order ECs the discriminant
D must be congruent to 3 mod 8 and these values give rise to Weber polynomials with degree three
times larger than the degree of the corresponding Hilbert polynomials. Thus, one must find a root
of the Weber polynomial in the extension field $\mathbb{F}_{p^3}$ and then transform it to a root of the Hilbert
polynomial in $\mathbb{F}_p$. The use of $M_{D,l}(x)$ polynomials tackles this difficulty as their degree is equal
to the degree of the Hilbert polynomials. Furthermore, the use of Weber polynomials requires the
storage of three times more coefficients and the memory needed for this purpose can be larger than
the corresponding memory required for the storage of the $M_{D,l}(x)$ polynomials.

In [14] the construction of another class of polynomials was proposed. We will denote these
polynomials as $M_{D,p_1,p_2}(x)$ because their construction is based on two prime numbers $p_1$ and
$p_2$. The degree of these polynomials is equal to the degree of the Hilbert polynomials and this
is a considerable advantage against Weber polynomials. Compared to the Weber polynomials,
$M_{D,p_1,p_2}(x)$ polynomials have larger coefficients for all values of $p_1$ and $p_2$, except for $p_1 = 3, p_2 = 13$
and $p_1 = 5, p_2 = 7$. Moreover, the modular equations which are used for the transformation of a
root of $M_{D,p_1,p_2}(x)$ polynomials to a root of the corresponding Hilbert polynomials have degree at
least 2 in the root of Hilbert polynomial (which makes the computations more "heavy") and their
coefficients are quite large (which makes their use less efficient).

In conclusion, the type of polynomial that one should use depends on the particular application 
and the value of D. It is clear that finding a class of polynomials which can be constructed 
more efficiently than all previously mentioned polynomials, have degree equal to the degree of the 
corresponding Hilbert polynomials and have a modular equation with degree 1 in the root of Hilbert 
polynomials, will considerably improve the performance of the CM method for the generation of 
prime order elliptic curves and will outweigh all previously used polynomials in every aspect (e.g. 
precision requirements, storage memory, time efficiency). 

Prime order ECs defined in various fields were also treated in [3], [8]. In the first, the authors
used the CM method with Hilbert polynomials [3] for the generation of prime order ECs over
extension fields, while in the second the authors proposed a very efficient variant of the CM
method for the construction of prime order ECs over prime fields [8]. Furthermore, a number of
works appeared that compare variants of the CM method and also present experimental results
concerning the construction efficiency, such as the work of Müller and Paulus [33], as well as the
theses of Weng [48] and Baier [4].

Our contribution. Srinivasa Ramanujan (1887-1920) defined in his third notebook, pages 392
and 393 in the pagination of [37, vol. 2], the values of five class polynomials for five different
values of the discriminant D. The simplicity and the small coefficients of these polynomials were
remarkable. In 1999 Bruce C. Berndt and Heng Huat Chan [5] proved that if D is squarefree
and $D \equiv 11 \bmod 24$ then the roots of these five polynomials are real units and can generate the
Hilbert class field. Moreover, they asked for an efficient way of computing these polynomials for
every discriminant D (and not only for the five values computed by Ramanujan). In the rest of
the paper, we will call them Ramanujan polynomials.

Interpreting the theorem of Berndt and Chan (that the roots of the Ramanujan polynomials can
generate the Hilbert class field for values $D \equiv 11 \bmod 24$), we see that Ramanujan polynomials can
be used in the CM method as the aforementioned theorem proves that there is a transformation of
their roots to the roots of the corresponding Hilbert polynomials. In addition, as $D \equiv 11 \bmod 24$
implies $D \equiv 3 \bmod 8$, Ramanujan polynomials can be used in the generation of prime order ECs.

The contribution of this paper is threefold. Firstly, we introduce for the first time the use of
Ramanujan polynomials in the CM method by providing an efficient algorithm for their
construction for all values of the discriminant. The theory behind this construction is based on Shimura
Reciprocity Law [17, 18] and all the mathematical proofs behind it are presented in [23]. However,
in the context of this paper we present a considerably simplified version of the method described
in [23] which can be equally used either by a mathematician or a practitioner with no background
in algebraic number theory and algorithmic class field theory.

Secondly, we observe that Ramanujan polynomials have the same degree as their
corresponding Hilbert polynomials and hence have roots in $\mathbb{F}_p$. In addition, we provide the necessary
transformation of a Ramanujan polynomial's root to a root of the corresponding Hilbert
polynomial and thus give all the information that a practitioner needs in order to use the new class of
polynomials in the CM method.

Finally, we perform a comparative theoretical and experimental study regarding the efficiency
of the CM method using the aforementioned Weber, $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials against
the new class of polynomials. We show that Ramanujan polynomials are by far the best choice
when the CM method is used for the generation of prime order elliptic curves because their degree
is equal to the degree of the corresponding Hilbert polynomials and their construction is more
efficient than the construction of all previously used polynomials. We show that the logarithmic
height of the coefficients of the Ramanujan polynomials is asymptotically 36 times smaller than
the logarithmic height of the Hilbert polynomials and this allows us to show that the precision
requirements for the construction of Ramanujan polynomials can be from 22% to 66% smaller than
the precision requirements of all other class polynomials.

In the literature the "efficiency" of a class invariant (a root of a class polynomial) is measured by
the asymptotic ratio of the logarithmic height of a root of the Hilbert polynomial to a root of the
class polynomial in question. The best known class invariant is the one used for the construction of
Weber polynomials with $D \not\equiv 0 \pmod 3$ and $D \equiv 3, 7 \pmod 8$. The roots of these Weber
polynomials have logarithmic height that is asymptotically 72 times smaller than the logarithmic height
of the roots of the corresponding Hilbert polynomials. However, in practice we are not interested
in the logarithmic height of the roots but in the logarithmic height of the polynomials, since the
latter measures the precision required for the construction of the polynomials. In this paper we will
show that these two heights coincide only if the class polynomial has degree equal to the degree of
the corresponding Hilbert polynomial. For the construction of prime order elliptic curves, Weber
class polynomials have degree 3 times larger than the degree of the Hilbert polynomials. We will
show that in this case the logarithmic height of the Weber polynomials is asymptotically 24 = 72/3
times less than the logarithmic height of Hilbert polynomials and not 72. Thus, even though the
height of Weber polynomials' roots is smaller than the height of the roots of Ramanujan's class
polynomials, the precision requirements for the construction of the latter are smaller.

Ramanujan polynomials can also be used in the generation of special curves, such as MNT
curves [29], [30], [34] and in the generation of ECs that do not necessarily have prime order [H [25] .
It is interesting to note here that in the latter case, as our experiments indicated, Ramanujan
polynomials outweigh Weber polynomials for all values of the discriminant $D \not\equiv 7 \bmod 8$. Moreover,
problems such as primality testing/proving [1] and the representability of primes by quadratic
forms [11] can be considerably improved with the use of Ramanujan polynomials. This makes our
analysis for these polynomials even more useful.

The rest of the paper is organized as follows. In Section 2 we review some basic definitions
and facts about ECs and the CM method. In Section 3 we review properties of Hilbert, Weber,
$M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials with $D \equiv 3 \bmod 8$ and in Section 4 we elaborate on the
construction of Ramanujan polynomials describing in an explicit way how they can be used in the
CM method. In Section 5 we provide theoretical estimations for the precision requirements of all
previously mentioned polynomials and in Section 6 we present our experimental results.

2 A Brief Overview of Elliptic Curve Theory and Complex Multiplication

In this section we give a brief introduction to elliptic curve theory and to the Complex
Multiplication method for generating prime order elliptic curves. Our aim is to facilitate the reading of the
sections that follow.

2.1 Preliminaries of Elliptic Curve Theory 

An elliptic curve over a finite field $\mathbb{F}_p$, p a prime larger than 3, is denoted by $E(\mathbb{F}_p)$ and it is
comprised of all the points $(x, y)$ with $x, y \in \mathbb{F}_p$ (in affine coordinates) such that

$$y^2 = x^3 + ax + b, \tag{1}$$

with $a, b \in \mathbb{F}_p$ satisfying $4a^3 + 27b^2 \neq 0$. These points, together with a special point denoted by $\mathcal{O}$
(the point at infinity) and a properly defined addition operation form an Abelian group. This is
the Elliptic Curve group and the point $\mathcal{O}$ is its zero element (see [2j [61 H5j for more details on this
group).

The order, denoted by m, is the number of points that belong in $E(\mathbb{F}_p)$. The difference between
m and p is measured by the so-called Frobenius trace $t = p + 1 - m$ for which Hasse's theorem (see
e.g., [6]) states that $|t| \le 2\sqrt{p}$, implying that $p + 1 - 2\sqrt{p} \le m \le p + 1 + 2\sqrt{p}$. This is an important
inequality that provides lower and upper bounds on the number of points in an EC group. The
order of an element $P \in E(\mathbb{F}_p)$ is defined as the smallest positive integer n such that $nP = \mathcal{O}$.
Lagrange's theorem implies that the order of a point $P \in E(\mathbb{F}_p)$ divides the order m of the group
$E(\mathbb{F}_p)$. Thus, $mP = \mathcal{O}$ for any $P \in E(\mathbb{F}_p)$ and, consequently, the order of a point is always less
than or equal to the order of the elliptic curve.

Among the most important quantities defined for an elliptic curve $E(\mathbb{F}_p)$ are the curve
discriminant $\Delta$ and the j-invariant. These two quantities are given by the equations $\Delta = -16(4a^3 + 27b^2)$
and $j = -1728(4a)^3/\Delta$. Given a j-invariant $j_0 \in \mathbb{F}_p$ (with $j_0 \neq 0, 1728$) two ECs can be
constructed. If $k = j_0/(1728 - j_0) \bmod p$, one of these curves is given by Eq. (1) by setting
$a = 3k \bmod p$ and $b = 2k \bmod p$. The second curve (the twist of the first) is given by the equation
$y^2 = x^3 + ac^2x + bc^3$ with c any quadratic non-residue of $\mathbb{F}_p$. If $m_1$ and $m_2$ denote the orders of
an elliptic curve and its twist respectively, then $m_1 + m_2 = 2p + 2$ which implies that if one of the
curves has order $p + 1 - t$, then its twist has order $p + 1 + t$, or vice versa (see [6, Lemma VIII.3]).

2.2 The Complex Multiplication Method 

As stated in the previous section, given a j-invariant one may readily construct an EC. Finding a 
suitable j-invariant for a curve that has a given order m can be accomplished through the theory 
of Complex Multiplication (CM) of elliptic curves over the rationals. This method is called the CM 
method and in what follows we will give a brief account of it. 

By Hasse's theorem, $Z = 4p - (p + 1 - m)^2$ must be positive and, thus, there is a unique
factorization $Z = Dv^2$, with D a square free positive integer. Therefore

$$4p = u^2 + Dv^2 \tag{2}$$

for some integer u that satisfies the equation

$$m = p + 1 \pm u. \tag{3}$$

The negative parameter $-D$ is called a CM discriminant for the prime p. For convenience
throughout the paper, we will use (the positive integer) D to refer to the CM discriminant. The CM method
uses D to determine a j-invariant. This j-invariant in turn, will lead to the construction of an EC
of order $p + 1 - u$ or $p + 1 + u$.

The CM method works as follows. Given a prime p, the smallest D is chosen for which there
exists some integer u for which Eq. (2) holds. If neither of the possible orders $p + 1 - u$ and
$p + 1 + u$ is suitable for our purposes, the process is repeated with a new D. If at least one of
these orders is suitable, then the method proceeds with the construction of the Hilbert polynomial
(uniquely defined by D) and the determination of its roots modulo p. Any root of the Hilbert
polynomial can be used as a j-invariant. From this root the corresponding EC and its twist can
be constructed as described in Section 2.1. In order to find which one of the curves has the desired
suitable order ($m = p + 1 - u$ or $m = p + 1 + u$), Lagrange's theorem can be used as follows: we
repeatedly choose points P at random in each EC until a point is found in one of the curves for
which $mP \neq \mathcal{O}$. This implies that the curve we seek is the other one. Recently, different methods
have been proposed for choosing efficiently the correct elliptic curve in CM method



The most demanding step of the CM method is the construction of the Hilbert polynomial, as
it requires high precision floating point and complex arithmetic. As the value of the discriminant D
increases, the coefficients of the polynomials grow extremely large and their computation becomes
more inefficient. In [U [25], a variant of the CM method was proposed to avoid this problem.
This variant starts with a discriminant D and a specific prime p chosen at random, or from a
set of prescribed primes. It then computes u and v using Cornacchia's algorithm [10] to solve
Eq. (2), and requires that the resulting EC order m is suitable (cf. Section 2.1). Using this variant,
the user can choose the value of the discriminant he wishes (and thus avoid very large values
which was not possible in the original version of the CM method) or he can construct the Hilbert
polynomials in a preprocessing phase and store them for later use. In this way, the burden of their
costly computation can be avoided during the execution of the CM method. A similar variant was
proposed in [51] for the construction of prime order ECs.

We now turn to the generation of prime order ECs. If m should be a prime number, then it
is obvious that u should be odd. It is also easy to show that D should be congruent to 3 mod 8
and v should be odd, too. In this paper, we follow the variant of the CM method proposed in
[U [55] for the construction of prime order elliptic curves. Thus, we start with a CM discriminant
$D \equiv 3 \bmod 8$ for the computation of the Hilbert polynomial, and then generate at random, or
select from a pool of precomputed good primes (e.g., Mersenne primes), a prime p and compute
odd integers u, v such that $4p = u^2 + Dv^2$. Those odd integers u, v can be computed in four
different ways, which are outlined in [23]. Once we have found primes p and m which satisfy
Eq. (2) and Eq. (3), we can proceed with the next steps, which are similar to those of the original
CM method.
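The steps of this section can be traced end to end on a toy field. The following is an added example, not code from the paper: it fixes D = 11, takes the root of $H_{11}(x) = x + 32768$ as a known value that the text does not state, and all function names are illustrative. Points are scanned in order rather than drawn at random, and the brute-force point count serves only to check the result.

```python
from math import isqrt

D = 11
J_D11 = -32768  # root of H_11(x) = x + 32768 (assumed known value, not from the page)


def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))


def cm_parameters(p, D=D):
    """Solve 4p = u^2 + D*v^2 (Eq. 2); return (u, v, m) with m = p + 1 -/+ u prime (Eq. 3)."""
    for v in range(1, isqrt(4 * p // D) + 1):
        u = isqrt(4 * p - D * v * v)
        if u and u * u == 4 * p - D * v * v:
            for m in (p + 1 - u, p + 1 + u):
                if is_prime(m):
                    return u, v, m
            return None          # representation exists, but neither order is prime
    return None                  # D is not a CM discriminant for p


def curve_and_twist(j0, p):
    """Section 2.1: k = j0/(1728 - j0), a = 3k, b = 2k; twist uses a non-residue c."""
    k = j0 * pow((1728 - j0) % p, -1, p) % p
    a, b = 3 * k % p, 2 * k % p
    c = next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)
    return (a, b), (a * c * c % p, b * c ** 3 % p)


def ec_add(P, Q, a, p):
    """Affine group law on y^2 = x^3 + ax + b; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(n, P, a, p):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        n >>= 1
    return R


def first_affine_point(a, b, p):
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                return x, y
    return None


def count_points(a, b, p):
    """Brute-force group order; only feasible for toy p, used here as a check."""
    roots = [0] * p
    for y in range(p):
        roots[y * y % p] += 1
    return 1 + sum(roots[(x ** 3 + a * x + b) % p] for x in range(p))


def cm_curve(p):
    """Return (a, b, m): a curve over F_p of prime order m with CM discriminant 11."""
    params = cm_parameters(p)
    if params is None:
        return None
    m = params[2]
    E, Et = curve_and_twist(J_D11 % p, p)
    for (a, b), other in ((E, Et), (Et, E)):
        P = first_affine_point(a, b, p)
        if ec_mul(m, P, a, p) is not None:   # m*P != O, so the other curve has order m
            return other + (m,)
    return None


if __name__ == "__main__":
    print(cm_parameters(31), cm_curve(31))
```

For p = 31 the solution of Eq. (2) is u = 5, v = 3, the candidate orders are 27 and 37, and the curve of prime order 37 is the twist.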

If we could find a way to compute the roots of the Hilbert polynomials directly, it is clear that
it wouldn't be necessary to construct the polynomials (since only their roots are needed in the CM
method). Indeed, there are polynomials (known as class polynomials) [12], [13], [22], [42] with much
smaller coefficients, which can be constructed much more efficiently than Hilbert polynomials and
their roots can be transformed to the roots of the Hilbert polynomials. Thus, we can replace the
Hilbert polynomials in the CM method with another class of polynomials given that their roots
can be transformed to the roots of the Hilbert polynomials. In the following section we will briefly
review the definition of these polynomials along with another class of polynomials defined in [14]
(denoted as $M_{D,p_1,p_2}(x)$) and show how they can be used in the CM method, while in Section 4
we will propose the use of Ramanujan class polynomials.

3 Class Polynomials 

In this section we define Hilbert, Weber, $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials for discriminant
values $D \equiv 3 \bmod 8$ and briefly discuss their use in the CM method. The interested reader is
referred to [HI [23] for proofs and details not given here.



3.1 Hilbert Polynomials 

Every CM discriminant D defines a unique Hilbert polynomial, denoted by $H_D(x)$. Given a positive
D, the Hilbert polynomial $H_D(x) \in \mathbb{Z}[x]$ is defined as

$$H_D(x) = \prod_{\tau} (x - j(\tau)) \tag{4}$$

for values of $\tau$ satisfying $\tau = (-\beta + \sqrt{-D})/2\alpha$, for all integers $\alpha$, $\beta$, and $\gamma$ such that (i) $\beta^2 - 4\alpha\gamma = -D$,
(ii) $|\beta| \le \alpha \le \sqrt{D/3}$, (iii) $\alpha \le \gamma$, (iv) $\gcd(\alpha, \beta, \gamma) = 1$, and (v) if $|\beta| = \alpha$ or $\alpha = \gamma$,
then $\beta \ge 0$. The 3-tuple of integers $[\alpha, \beta, \gamma]$ that satisfies these conditions is called a primitive,
reduced quadratic form of $-D$, with $\tau$ being a root of the quadratic equation $\alpha z^2 + \beta z + \gamma = 0$.
Clearly, the set of primitive reduced quadratic forms of a given discriminant is finite. The
quantity $j(\tau)$ in Eq. (4) is called class invariant and is defined as follows. Let $z = e^{2\pi\sqrt{-1}\tau}$ and
$h(\tau) = \left(\frac{\eta(2\tau)}{\eta(\tau)}\right)^{24}$, where $\eta(\tau) = z^{1/24}\left(1 + \sum_{n \ge 1} (-1)^n \left(z^{n(3n-1)/2} + z^{n(3n+1)/2}\right)\right)$ is the Dedekind
eta-function. Then, $j(\tau) = \frac{(256h(\tau) + 1)^3}{h(\tau)}$. It can be shown [TT] that Hilbert polynomials with degree
h have h roots modulo p when they are used in the CM method.

3.2 Weber Polynomials 

The Weber polynomial $W_D(x) \in \mathbb{Z}[x]$ for $D \equiv 3 \bmod 8$ is defined as

$$W_D(x) = \prod_{\ell} (x - g(\ell))$$

where $\ell = \frac{-b + \sqrt{-D}}{a}$ satisfies the equation $ay^2 + 2by + c = 0$ for which $b^2 - ac = -D$ and (i)
$\gcd(a, b, c) = 1$, (ii) $|2b| \le a \le c$, and (iii) if either $a = |2b|$ or $a = c$, then $b \ge 0$. Let $\zeta = e^{\pi\sqrt{-1}/24}$.
The class invariant $g(\ell)$ for $W_D(x)$ is defined by
^6( c -a-a 2 c) . j^) if 2 | fl and 2 | c

-(-1)^ • (K^-a-2c) . ^ if 2 /a and 2 I c 

2 

-(-1) ^ • ^(c-a-5ac 2 ) . y^ if 2 | a and 2 /c 
if $D \equiv 3 \bmod 8$ and $D \not\equiv 0 \bmod 3$, and

1^36( C -a-a 2 c) . y3(£) if 2 | a anc [ 2 | C 
^(-I)^IT 11 ■ ^3fe(ac 2 -a-2c) . y3^) if 2 | a and 2 | C 
-i(-l) iii V ii • ^3fe(c-a-5ac 2 ) . y|(^ if 2 | a an d 2 /c 

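if $D \equiv 3 \bmod 8$ and $D \equiv 0 \bmod 3$. The functions $f()$, $f_1()$ and $f_2()$ are called Weber functions
and are defined by (see [TJ [21] ):

$$f(y) = q^{-1/48} \prod_{r=1}^{\infty} \left(1 + q^{(2r-1)/2}\right), \qquad f_1(y) = q^{-1/48} \prod_{r=1}^{\infty} \left(1 - q^{(2r-1)/2}\right),$$

$$f_2(y) = \sqrt{2}\, q^{1/24} \prod_{r=1}^{\infty} \left(1 + q^{r}\right), \qquad \text{where } q = e^{2\pi\sqrt{-1}\,y}.$$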

For these cases of the discriminant ($D \equiv 3 \bmod 8$), the Weber polynomial $W_D(x)$ has degree
three times larger than the degree of its corresponding Hilbert polynomial $H_D(x)$. In [23] it is
shown that the Weber polynomial has roots in the extension field $\mathbb{F}_{p^3}$. Thus, in order to use Weber
polynomials in the CM method we must find at least one of their roots in the extension field $\mathbb{F}_{p^3}$.
The idea is that we replace Hilbert polynomials with Weber polynomials and then try to compute
a root of the Hilbert polynomial from a root of its corresponding Weber polynomial. To compute
the desired Hilbert root, we proceed in three stages. First, we construct the corresponding Weber
polynomial. Second, we compute its roots in $\mathbb{F}_{p^3}$. Finally, we transform the Weber roots to the
desired Hilbert roots in $\mathbb{F}_p$ using a modular equation $\Phi_W(x, j) = 0$. In particular, if x is a root of
Weber polynomial and j is a root of the corresponding Hilbert polynomial, then

$$\Phi_W(x, j) = (2^{12}x^{-24} - 16)^3 - 2^{12}x^{-24}j \tag{5}$$

if $D \not\equiv 0 \pmod 3$ and

$$\Phi_W(x, j) = (2^{4}x^{-8} - 16)^3 - 2^{4}x^{-8}j \tag{6}$$

if $D \equiv 0 \pmod 3$. To compute a root of $W_D(x)$ in $\mathbb{F}_{p^3}$ we have to find an irreducible factor
(modulo p) of degree 3 of the polynomial. This can be achieved using Algorithm 3.4.6 from [9].
The irreducible factor has 3 roots in $\mathbb{F}_{p^3}$ from which it suffices to choose one, in order to accomplish
the third stage. Details on the use of Weber polynomials in the construction of prime order elliptic
curves can be found in

l     $\Phi_l(x, j)$
3     $(x + 27)(x + 3)^3 - jx$
5     $(x^2 + 10x + 5)^3 - jx$
7     $(x^2 + 13x + 49)(x^2 + 5x + 1)^3 - jx$
13    $(x^2 + 5x + 13)(x^4 + 7x^3 + 20x^2 + 19x + 1)^3 - jx$

Table 1: Modular functions for different values of l.




3.3 $M_{D,l}(x)$ Polynomials

Even though Weber polynomials have much smaller coefficients than Hilbert polynomials and can
be computed very efficiently, the fact that their degree for $D \equiv 3 \bmod 8$ is three times larger
than the degree of the corresponding Hilbert polynomials can be a potential problem, because it
involves computations in extension fields. Moreover, the computation of a cubic factor modulo
p in a polynomial with degree 3h is more time consuming than the computation of a single root
modulo p of a polynomial with degree h.

To alleviate these problems, the use of a relatively new class of polynomials was proposed,
referred to as the $M_{D,l}(x)$ polynomials. These polynomials have degree h like Hilbert polynomials and
thus they have roots modulo p. They are constructed from a family of $\eta$-products: $m_l(z) = \frac{\eta(z/l)}{\eta(z)}$
[32] for an integer $l \in \{3, 5, 7, 13\}$. The polynomials are obtained from this family by evaluating
their value at a suitably chosen system of quadratic forms. Once a polynomial is computed, we
can use a modular equation $\Phi_l(x, j) = 0$ (see Table 1), in order to compute a root j modulo p of
the Hilbert polynomial from a root x modulo p of the $M_{D,l}(x)$ polynomial.



3.4 $M_{D,p_1,p_2}(x)$ Polynomials

The authors of [14] proposed the use of another class of polynomials. Like $M_{D,l}(x)$ polynomials,
these polynomials are constructed using a family of $\eta$-products: $m_{p_1,p_2}(z) = \frac{\eta(z/p_1)\,\eta(z/p_2)}{\eta(z/(p_1p_2))\,\eta(z)}$. We
will refer to the minimal polynomials of these products as $M_{D,p_1,p_2}(x)$ where D is the discriminant
used for their construction. The only restriction posed on the discriminant is that its Kronecker
symbol with respect to $p_1$ and with respect to $p_2$ is not equal to $-1$ if $p_1 \neq p_2$, or that its Kronecker
symbol with respect to $p$ is not equal to $-1$ if $p_1 = p_2 = p$. The
polynomials are obtained from this family of $\eta$-products by evaluating their value at a suitably
chosen system of quadratic forms. In particular, the polynomial $M_{D,p_1,p_2}(x) \in \mathbb{Z}[x]$ is defined as

$$M_{D,p_1,p_2}(x) = \prod_{\tau_Q} \left(x - m_{p_1,p_2}(\tau_Q)\right)$$

where $\tau_Q = \frac{-B_i + \sqrt{-D}}{2A_i}$ for all representatives $S = \{(A_i, B_i, C_i)\}_{1 \le i \le h}$ of the reduced primitive
quadratic forms of a discriminant $-D$ derived from a $(p_1p_2)$-system.

Once a polynomial is computed, we can use the modular equations $\Phi_{p_1,p_2}(x, j) = 0$, in order to
compute a root j modulo p of the Hilbert polynomial from a root x modulo p of the $M_{D,p_1,p_2}(x)$
polynomial. However, a disadvantage of $M_{D,p_1,p_2}(x)$ polynomials is that the corresponding modular
polynomials $\Phi_{p_1,p_2}(x, j)$ have degree at least 2 in j (which makes the computations more "heavy")
and their coefficients are quite large (which makes their use less efficient)¹. The only modular
polynomials that have degree 2 in j are $\Phi_{3,13}(x, j)$ and $\Phi_{5,7}(x, j)$. In addition, $M_{D,3,13}(x)$ and
$M_{D,5,7}(x)$ polynomials are constructed more efficiently than other polynomials of the double eta
family [12]. Thus, we only used these polynomials in our experiments.



4 Ramanujan Polynomials 

In this section, we define a new class of polynomials which can be used in the CM method for 
the generation of prime order ECs. We elaborate on their construction and provide the necessary 
transformations of their roots to the roots of the corresponding Hilbert polynomials. 



4.1 Construction of Polynomials 

Srinivasa Ramanujan (1887-1920) defined in his third notebook, pages 392 and 393 in the
pagination of [37, vol. 2] the values

$$t_D = \sqrt{3}\, q_D^{1/18}\, \frac{f(q_D^{1/3})\, f(q_D^{3})}{f^2(q_D)} \tag{7}$$

where $f(-q) = \prod_{d=1}^{\infty} (1 - q^d) = q^{-1/24}\eta(\tau)$, $q = \exp(2\pi i\tau)$, $q_D = \exp(-\pi\sqrt{D})$, $\tau \in \mathbb{H}$ ($\mathbb{H}$ is the
upper half plane) and $\eta(\tau)$ denotes the Dedekind eta-function. Without any further explanation
on how he found them, Ramanujan gave the following table of polynomials $T_D(x)$ based on $t_D$ for
five values of D:

D      $T_D(x)$
11     $x - 1$
35     $x^2 + x - 1$
59     $x^3 + 2x - 1$
83     $x^3 + 2x^2 + 2x - 1$
107    $x^3 - 2x^2 + 4x - 1$



In [5] Bruce C. Berndt and Heng Huat Chan proved that these polynomials indeed have the
Ramanujan values $t_D$ as roots. The method they used could not be applied for higher values of D and they
asked for an efficient way of computing the polynomials $T_D$ for every D. They also proved that
if $D \in \mathbb{N}$ is squarefree so that $D \equiv 11 \bmod 24$ then $t_D$ is a real unit generating the Hilbert class
field. This actually means that the polynomials $T_D$ can be used in the CM method because their
roots can be transformed to the roots of the corresponding Hilbert polynomials. In addition, the
remarkably small coefficients of these polynomials are a clear indication that their use in the CM
method can be especially favoured.
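The following added example (not code from the paper; function names are illustrative) enumerates the primitive reduced forms by conditions (i)-(v) of Section 3.1, checks that their number equals the degree of each polynomial in Ramanujan's table, and builds $H_{11}$ and $H_{35}$ in double precision to show the gap in coefficient size. It uses the identity $j = (256h + 1)^3/h$ with $h = (\eta(2\tau)/\eta(\tau))^{24}$, and the float evaluation is only adequate for these small D.

```python
import cmath
from math import gcd, pi, sqrt

# Ramanujan's table from Section 4.1, coefficients listed from the highest degree down.
RAMANUJAN_T = {11: [1, -1], 35: [1, 1, -1], 59: [1, 0, 2, -1],
               83: [1, 2, 2, -1], 107: [1, -2, 4, -1]}


def reduced_forms(D):
    """Primitive reduced forms [alpha, beta, gamma] with beta^2 - 4*alpha*gamma = -D."""
    forms = []
    alpha = 1
    while 3 * alpha * alpha <= D:                    # (ii) alpha <= sqrt(D/3)
        for beta in range(-alpha, alpha + 1):        # (ii) |beta| <= alpha
            if (beta * beta + D) % (4 * alpha):      # (i) gamma must be an integer
                continue
            gamma = (beta * beta + D) // (4 * alpha)
            if gamma < alpha:                        # (iii) alpha <= gamma
                continue
            if gcd(alpha, gcd(beta, gamma)) != 1:    # (iv) primitive
                continue
            if (abs(beta) == alpha or alpha == gamma) and beta < 0:   # (v)
                continue
            forms.append((alpha, beta, gamma))
        alpha += 1
    return forms


def euler_series(z):
    """eta(tau) / z^(1/24) = 1 + sum_{n>=1} (-1)^n (z^(n(3n-1)/2) + z^(n(3n+1)/2))."""
    total, n = 1, 1
    while abs(z) ** (n * (3 * n - 1) // 2) > 1e-40:
        total += (-1) ** n * (z ** (n * (3 * n - 1) // 2) + z ** (n * (3 * n + 1) // 2))
        n += 1
    return total


def j_invariant(tau):
    z = cmath.exp(2j * pi * tau)
    # (eta(2 tau)/eta(tau))^24: the fractional powers of z combine to a single factor z.
    h = z * (euler_series(z * z) / euler_series(z)) ** 24
    return (256 * h + 1) ** 3 / h


def hilbert_polynomial(D):
    """Coefficients of H_D, highest degree first, rounded from double precision."""
    coeffs = [1 + 0j]
    for alpha, beta, _ in reduced_forms(D):
        root = j_invariant((-beta + 1j * sqrt(D)) / (2 * alpha))
        # multiply the current polynomial by (x - root)
        coeffs = [c - root * prev for c, prev in zip(coeffs + [0], [0] + coeffs)]
    return [round(c.real) for c in coeffs]


def coefficient_bits(coeffs):
    return max(abs(c) for c in coeffs).bit_length()


def degree_report():
    """Map D -> (number of reduced forms, degree of T_D in the table)."""
    return {D: (len(reduced_forms(D)), len(c) - 1) for D, c in RAMANUJAN_T.items()}


if __name__ == "__main__":
    print(degree_report())
    for D in (11, 35):
        H = hilbert_polynomial(D)
        print(D, H, coefficient_bits(H), "bits vs", coefficient_bits(RAMANUJAN_T[D]))
```

For D = 35 the largest coefficient of $H_{35}$ needs 37 bits while $T_{35}$ needs 1; for larger D the Hilbert coefficients outgrow double precision, which is the precision cost the text describes.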

In this paper we will elaborate on the construction of these polynomials, which we will call
Ramanujan polynomials and we will provide an efficient algorithm for their computation for every
discriminant $D \equiv 11 \bmod 24$. The theory behind this construction is based on Shimura Reciprocity
Law [17, 18]. For the interested reader all mathematical proofs can be found in [24]. However, in
the rest of the section we will present a considerably simplified version of the method in [24].



¹ For example, notice in [15] the size of the smallest modular polynomial $\Phi_{5,7}(x, j)$.



The Ramanujan polynomial Td{x) G Z[x] for D = 11 mod 24 is denned as 



-34 



.-, : — for all primitive, reduced quadratic forms [a,(3,j] of —D. 
Every value £(r) that corresponds to a specific form [a, (3, 7] is defined by 



for values of r satisfying r 



i(r) = (C 7 6 2 fc -C 7 3 2° fc )E a ^(T) 

i=0 

where £72 = e 2m ' 72 and the functions i?j with i £ {0,1,2,3,4,5} are modular functions of level 
72 and are defined by: Mr) = " (3 %g /8) , fli(r) = ^>ffiffi V3) , « 2 (r) = r?(3r) ^ ( / T 3+2/3) , 
i?3(r) = T?(T/3) ^ 3+2/3) , i? 4 (r) = ^-/3)^/3+i/3) and ^ (T) = ^/yi/3) . The value * 
is equal to $9\det(L_2) - 8\det(L_3)$ where $\det(L_2)$ and $\det(L_3)$ are the determinants of the following
matrices $L_n$ for $n = 2$ or $3$ respectively:





is V 




iw 


(-0-1) 
2 

1 


-a V } 7 



if n\a 
L n = ( ! r _ ' ) if n I a and n J7 

if n I a and n | 7 

The values $a_{2i}$ with $i \in \{0, 1, 2, 3, 4, 5\}$ are the elements of the third row of a $6 \times 6$ matrix $A$. Before
describing the construction of $A$ we need to define the following two matrices:



Sn 



/o 



/■6k 
^72 









A3fe 
S72 








/-3k 
S72 















^72 



>-?,k 

^72 






o\ 






1 

■(ifr 
^72 



Si 



(I 














/-3k ( s30k 
^72 V ^72 






+c 



(>A-\ 

72 J 









/■30k:/-6 

^72 +^7 

^72 





Using $S_0$ and $S_1$ we can compute four new matrices $T_2$




1 

/-3k/ /-30k 1 /-&k\ 
S72 V '=72 "rS.72 / 








<So; ^3 






s3k 

^72 



^72 ' ^72 










o\ 







V 



i-8 



1-1 



-10, 



1-1, 



Q — O Q Q — 1 Q Q — 1U Q Q — 1 Q Q~ 

^0 1 *^2 — ^0 1 1 1 



-18 



10 



and S3 = S S\SqSiS S\Sq G . Now the matrix A is equal to A2A3B where B is equal to 

\ 



B 



and 



A n 



(I 








(I 










^72 












A2fc-1 

'72 








a2/c-2 
<=72 









/■k-2 

5 72 













r 2k- 

S72 











=72 











/•fc-1 
S72 







>2fc-l 

^72 









=72 



if fc = 1 mod 3 



a3k— 3 
^72 / 










/-3k- 
^72 



if A: = 2 mod 3 



a 7-1 i 

kJn- 1 - rt 



mod N(n) 



'n^-n 



.(iC^ 1 )-!) mod AT(n) 
-'n-'-n 



(1-fifi) mod JV(n) 



<3 T 1 T 1 

>Jn ± n' J n ± n 



(l-£±i-a) mod iV(n) (_i +a+ £ +7 ) mod JV(n) 

-in •Jn-'-n'J n-'-n 



if n f a 

if n I a and n { 7 

if n I a and n | 7 



for $n = 2, 3$ and $N(2) = 8$, $N(3) = 9$.

It is easy to see that every row in the matrix $A$ has only one non zero element. Thus, only one
value $a_{2i}$ is not equal to zero and the computation of every value $t(\tau)$ requires the evaluation of
only one value $R_i(\tau)$.



4.2 Transformation of the Roots 

In order to use Ramanujan polynomials in the CM method, we must prove that they have roots
modulo p and then find a transformation of their roots modulo p to the roots modulo p of the 
corresponding Hilbert polynomials. The following theorem proves that a Ramanujan polynomial 
with degree h has exactly h roots modulo p under certain conditions (which are satisfied in the 
CM method): 

Theorem 1 A Ramanujan polynomial $T_D(x)$ with degree $h$ has exactly $h$ roots modulo $p$ if and
only if the equation $4p = u^2 + Dv^2$ has integer solutions and $p$ does not divide the discriminant
$\Delta(T_D)$ of the polynomial.



Proof. Let $H_K$ be the Hilbert class field of the imaginary quadratic field $K = \mathbb{Q}(\sqrt{-D})$, and let
$O_{H_K}$ and $O_K$ be the rings of algebraic integers of $H_K$ and $K$ respectively. Let $p$ be a prime such
that $4p = u^2 + Dv^2$ has integer solutions. Then, according to [11, Th. 5.26] $p$ splits completely
in $H_K$. Proposition 5.29 in [11] implies that (since $t_D$ generates $H_K$) $T_D(x)$ has a root modulo $p$



Or 



VOh k I * P 



-/F F 



IS 



if and only if $p$ splits in $H_K$ and does not divide its discriminant $\Delta(T_D)$. But since

Galois, $T_D(x)$ has not only one root modulo $p$, but $h$ distinct roots modulo $p$.

We will present now a method to retrieve a root modulo $p$ of the Hilbert polynomial $H_D(x)$
from a root modulo $p$ of the corresponding Ramanujan polynomial $T_D(x)$. Our aim is to find a
transformation that maps a real root of the Ramanujan polynomial to a real root of the corresponding
Hilbert polynomial. Then, we can reduce this transformation modulo a prime ideal of
the ring of integers of the Hilbert class field. In this way we see that the same transformation
will transfer a root of the Ramanujan polynomial modulo $p$ to a root of the Hilbert polynomial
modulo $p$. We know that if $\ell_0 = (1, 1, \frac{1+D}{4})$ is a quadratic form (known as the principal form)
that corresponds to the root $\tau_{\ell_0} = -\frac{1}{2} + i\frac{\sqrt{D}}{2}$ then $j(\tau_{\ell_0})$ is a real root of the Hilbert polynomial
$H_D(x)$. The following lemma shows that $t_D$ is a real root of the Ramanujan polynomial $T_D(x)$.

Lemma 1 The value $t_D$ is a real root of the Ramanujan polynomial $T_D(x)$ and is equal to:

$$t_D = \sqrt{3}\, R_2(\tau_{\ell_0}).$$

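Proof. Set

$$q_D = \exp(-\pi\sqrt{D}) = -\exp(2\pi i \tau_{\ell_0}),$$

where $\tau_{\ell_0} = -\frac{1}{2} + i\frac{\sqrt{D}}{2}$. Then

$$f(q_D) = f(-\exp(2\pi i \tau_{\ell_0})) = \exp(2\pi i \tau_{\ell_0})^{-1/24}\, \eta(\tau_{\ell_0}),$$

$$f(q_D^3) = \exp(2\pi i \tau_{\ell_0})^{-3/24}\, \eta(3\tau_{\ell_0}),$$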

/(^ /3 )=exp(2^ )-344r / (^). 

Taking Eq. (7) and all the above equations into consideration we can easily derive that $t_D =$

If we could prove that $t(\tau_{\ell_0}) = \sqrt{3} R_2(\tau_{\ell_0})$ then it will immediately follow that $t_D = t(\tau_{\ell_0})$ and
thus it is a root of the Ramanujan polynomial. We have that

$$t(\tau_{\ell_0}) = (\zeta_{72}^{6} - \zeta_{72}^{30}) R_2(\tau_{\ell_0}),$$

since $k = 1$ and the matrix $A = A_2 A_3 B$ is by computation equal to the identity matrix for every
discriminant $D$. Notice that the principal form equals $[a, \beta, \gamma] = [1, 1, \frac{1+D}{4}]$, therefore $2, 3 \nmid a = 1$



A mod i\r(n) rr _ aa m ( A (£=!)-!) mod AT(n) 



1 

and L 2 = L 3 = Id 2 , B = Id 6 and A n = S n T£ ""~" K "' S n T- a S n T^ y a_) ~^ — "^ for n = 2 ,3. 
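Finally, observe that $\sqrt{3} = \zeta_{72}^{6} - \zeta_{72}^{30}$. Indeed, the value $i\sqrt{3}$ can be expressed as a difference of two
primitive 3-roots of unity $\zeta_3, \zeta_3^2$ since $i = \zeta_{72}^{18}$ and $\zeta_3 = \zeta_{72}^{24}$. Thus $t(\tau_{\ell_0}) = \sqrt{3} R_2(\tau_{\ell_0}) = t_D$. ■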



Lemma 2 Suppose $R_T$ is a real root of a Ramanujan polynomial $T_D(x)$. Then, the real number
$R_H$ obtained from the equation

$$R_H = (R_T^{6} - 27 R_T^{-6} - 6)^3 \qquad (8)$$

is a real root of the corresponding Hilbert polynomial $H_D(x)$.

Proof. Set $R_T = t_D$ and $R_H = j(\tau_{\ell_0})$. Using Equations (4.4) and (4.5) from [5] it can be easily
derived that $h(e^{2\pi i \tau_{\ell_0}/3}) - 27 h(e^{2\pi i \tau_{\ell_0}/3})^{-1} = \gamma_2(\tau_{\ell_0}) + 6$ where $\gamma_2(\tau_{\ell_0})^3 = j(\tau_{\ell_0})$ and

Thus, $j(\tau_{\ell_0}) = (h(e^{2\pi i \tau_{\ell_0}/3}) - 27 h(e^{2\pi i \tau_{\ell_0}/3})^{-1} - 6)^3$ which means that we now have to find
the relation between $t_D$ and $h(e^{2\pi i \tau_{\ell_0}/3})$. Substituting $q$ with $e^{2\pi i \tau_{\ell_0}/3}$ in Eq. © we have that

h{e 2 ^J 3 ) = e2 ^ /3 /6( £ 2 2 l7v3^° 6 ) ( _ e 3(2^ ) ) - Noticing that q D = exp(-vr V A D) = -exp(2vrir £o ) 

and from Eq. (7) we derive that $h(e^{2\pi i \tau_{\ell_0}/3}) = -27 t_D^{-6}$ which completes the proof of the lemma. ■
The final step is to reduce Eq. (8) modulo $p$. The elements $R_H, R_T$ are not in $\mathbb{Z}$ but are
elements of the ring of algebraic integers $O_{H_K}$ of the Hilbert class field and can be reduced modulo
an ideal $P$ extending the ideal $p\mathbb{Z}$ of $\mathbb{Z}$. But the ideal $p\mathbb{Z}$ splits completely, therefore the Galois
extension %?% is the trivial one, and $O_{H_K}/P$ is the field $\mathbb{F}_p$. The argument above proves that
Eq. (8) holds not only for the real roots of the polynomials but also for their roots modulo $p$.
The interested reader is referred to [11], [46], [47] for definitions on algebraic number theory not
given here. Using Eq. (8), we can easily derive the modular polynomial $\Phi_T(x, j)$ for Ramanujan
polynomials. The polynomial will be equal to:

$$\Phi_T(x, j) = (x^{12} - 6x^{6} - 27)^3 - j x^{18}. \qquad (10)$$
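
The root transformation of Eq. (8) and the modular polynomial of Eq. (10), both reduced modulo $p$, as an added example (not code from the paper). It takes the five $T_D(x)$ from Ramanujan's table, checks the condition $4p = u^2 + Dv^2$ of Theorem 1, and goes one step beyond this section by building the curve with the resulting $j$-invariant through the standard substitution $k = j/(1728 - j)$ and counting its points; the function names and the demonstration primes 31 and 29 are choices made here.

```python
from math import isqrt

# T_D(x) from the paper's table, coefficients from the highest degree down.
RAMANUJAN = {11: [1, -1], 35: [1, 1, -1], 59: [1, 0, 2, -1],
             83: [1, 2, 2, -1], 107: [1, -2, 4, -1]}

def norm_solution(p, D):
    """Return (u, v) with 4p = u^2 + D*v^2, or None (condition of Theorem 1)."""
    v = 1
    while D * v * v <= 4 * p:
        u = isqrt(4 * p - D * v * v)
        if u * u + D * v * v == 4 * p:
            return u, v
        v += 1
    return None

def poly_eval(coeffs, x, p):
    """Horner evaluation of a polynomial modulo p."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc

def roots_mod_p(coeffs, p):
    """Exhaustive root search; adequate only for small demonstration primes."""
    return [x for x in range(p) if poly_eval(coeffs, x, p) == 0]

def hilbert_root(r_t, p):
    """Eq. (8) modulo p: R_H = (R_T^6 - 27*R_T^-6 - 6)^3."""
    t6 = pow(r_t, 6, p)      # never 0: every T_D above has constant term -1
    return pow(t6 - 27 * pow(t6, -1, p) - 6, 3, p)

def phi_T(x, j, p):
    """Eq. (10) modulo p: (x^12 - 6x^6 - 27)^3 - j*x^18."""
    return (pow(pow(x, 12, p) - 6 * pow(x, 6, p) - 27, 3, p) - j * pow(x, 18, p)) % p

def curve_from_j(j, p):
    """Assumed standard CM step, not in this section: y^2 = x^3 + 3k*x + 2k with
    k = j/(1728 - j) has j-invariant j (needs j != 0, 1728 mod p and p > 3)."""
    k = j * pow(1728 - j, -1, p) % p
    return 3 * k % p, 2 * k % p

def curve_order(a, b, p):
    """Points on y^2 = x^3 + a*x + b over F_p, counted with Euler's criterion."""
    n = 1                                    # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            n += 1                           # one point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2                           # two square roots +-y
    return n

def cm_demo(D, p):
    """Return (u, [(R_T, j, curve order), ...]) for T_D modulo p, or None."""
    sol = norm_solution(p, D)
    if sol is None:
        return None
    rows = []
    for r in roots_mod_p(RAMANUJAN[D], p):
        j = hilbert_root(r, p)
        if phi_T(r, j, p) != 0:              # Eq. (10) must vanish at (R_T, j)
            raise ValueError("root transformation failed")
        rows.append((r, j, curve_order(*curve_from_j(j, p), p)))
    return sol[0], rows

if __name__ == "__main__":
    print(cm_demo(11, 31))   # 4*31 = 5^2 + 11*3^2
    print(cm_demo(35, 29))   # 4*29 = 9^2 + 35*1^2
```

Each curve order returned is $p + 1 - u$ or $p + 1 + u$; in a real CM run one keeps the curve (or its twist) whose order is the prime being targeted.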

5 Precision Requirements for the Construction of the Polynomials

In this section we focus on the precision required for the construction of all previously mentioned
polynomials. In order to compare them, we introduce the notion of logarithmic height for estimating
the size of a polynomial. For a polynomial $g(x) = \sum_{i=0}^{n} a_i x^i \in \mathbb{Z}[x]$ its logarithmic height is defined
as

$$H(g) = \max_{i=0,\ldots,n} \log_2 |a_i|.$$

The value $H(g)$ is actually the bit-precision needed for performing all floating point computations
in order to obtain the coefficients of the polynomial $g(x)$.

Starting from Hilbert polynomials, an estimation of their precision requirements in bits (and
of their logarithmic height also) was given in [26]:

$$\text{H-Prec}(D) \approx \frac{\ln 10}{\ln 2}\left(\frac{h}{4} + 5\right) + \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$$

with the sum running over the same values of $\tau$ as the product in Eq. (4). A slightly different
bound was given in [31] which is remarkably accurate:

$$\text{H-Prec1}(D) \approx 33 + \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}.$$

It will be shown in the rest of the section that based on this estimation, we can derive estimations 
of the precision requirements of every class polynomial. 

Let $f$ be a modular function, such that $f(\tau)$ for some $\tau \in \mathbb{Q}(\sqrt{-D})$ generates the Hilbert class
field of $\mathbb{Q}(\sqrt{-D})$. The element $f(\tau)$ is an algebraic integer, and let us denote by $P_f$ its minimal
polynomial. For every modular function there is a polynomial $\Phi$ (called modular polynomial) such
that $\Phi(f, j) = 0$ where $j$ is the modular function used in the construction of Hilbert polynomials.
This polynomial equation is used (as we showed in the previous section) in order to transform the
roots of the minimal polynomial of a class invariant to the roots of the Hilbert polynomial. We
have seen that in the cases of Weber, $M_{D,l}(x)$ and Ramanujan polynomials the degree in $j$ of the
modular polynomial is equal to 1 while for $M_{D,p_1,p_2}(x)$ polynomials it is at least 2. Asymptotically,
one can estimate the ratio of the logarithmic height $h(j(\tau))$ of the algebraic integer $j(\tau)$ to the
logarithmic height $h(f(\tau))$ of the algebraic integer $f(\tau)$ (see footnote 2). Namely,

$$\lim_{h(j(\tau)) \to \infty} \frac{h(j(\tau))}{h(f(\tau))} = \frac{\deg_f \Phi(f,j)}{\deg_j \Phi(f,j)} = r(f), \qquad (11)$$

where the limit is taken over all CM-points $SL_2(\mathbb{Z})\tau \in$ EI [20]. Concerning Weber polynomials, we
can easily compute the values of $r(f)$ from Eq. (5) and Eq. (6). Thus, when $D \not\equiv 0 \pmod 3$, $r(f)$
will be equal to 24 and when $D \equiv 0 \pmod 3$, $r(f)$ will be equal to 8.

A question that immediately arises is how Eq. (11) can be used for the estimation of the
logarithmic height of the minimal polynomial $P_f$. The following Lemma gives an answer to this
question.

Lemma 3 Suppose that $H(P_f)$ is the logarithmic height of the minimal polynomial of the algebraic
number $f(\tau)$ and $H(P_j)$ is the logarithmic height of the corresponding Hilbert polynomial. If $f(\tau)$
generates the Hilbert class field then

$$\lim_{h(j(\tau)) \to \infty} \frac{H(P_j)}{H(P_f)} = \frac{\deg_f \Phi(f,j)}{\deg_j \Phi(f,j)} = r(f). \qquad (12)$$

If $f(\tau)$ does not generate the Hilbert class field but an algebraic extension of it with extension degree
$m$ then

$$\lim_{h(j(\tau)) \to \infty} \frac{H(P_j)}{H(P_f)} = \frac{\deg_f \Phi(f,j)}{\deg_j \Phi(f,j)} = \frac{r(f)}{m}.$$

Proof. The proof is based on the following bounds [43, Th. 5.9]:

$$-k + k\,h(a) < H(P_a) < k - 1 + k\,h(a)$$

where $h(a)$ is the logarithmic height of the algebraic integer $a$ and $k$ is the degree of its minimal
polynomial $P_a$. If $f(\tau)$ generates the Hilbert class field then the degree of its minimal polynomial
is equal to the degree of the corresponding Hilbert polynomial. Suppose that their degree is equal
to $k$. Then, we have that

$$-k + k\,h(f(\tau)) < H(P_f) < k - 1 + k\,h(f(\tau)) \qquad (13)$$

and

$$-k + k\,h(j(\tau)) < H(P_j) < k - 1 + k\,h(j(\tau)).$$

Thus,

$$\frac{-k + k\,h(j(\tau))}{k - 1 + k\,h(f(\tau))} < \frac{H(P_j)}{H(P_f)} < \frac{k - 1 + k\,h(j(\tau))}{-k + k\,h(f(\tau))}.$$

Taking the limit $h(j(\tau)) \to \infty$ we obtain that

$$\frac{H(P_j)}{H(P_f)} \to r(f). \qquad (14)$$

In the case that $f(\tau)$ generates an algebraic extension of the Hilbert class field, we similarly have
that

$$\frac{H(P_j)}{H(P_f)} \to \frac{r(f)}{m} \qquad (15)$$



2 Let $K$ be a number field, $a \in K$ be an algebraic number and $M_K$ be the set of absolute values on
$K$. Following the notation of [45, VIII], the absolute logarithmic height of an element $a \in K$ is defined as

$$h(a) = \frac{1}{[K:\mathbb{Q}]} \log_2 \left( \prod_{v \in M_K} \max\{|a|_v, 1\} \right).$$
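  class polynomial       precision estimation
  $M_{D,3}(x)$           $\frac{1}{4} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
  $M_{D,5}(x)$           $\frac{1}{6} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
  $M_{D,7}(x)$           $\frac{1}{8} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
  $M_{D,13}(x)$          $\frac{1}{14} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
  $M_{D,5,7}(x)$         $\frac{1}{24} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
  $M_{D,3,13}(x)$        $\frac{1}{28} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$

Table 2: Precision estimations for $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials.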



where $m$ is the degree of the extension. This is easily derived from the fact that the degree of the
minimal polynomial $P_f$ is $m$ times larger than the degree of the corresponding Hilbert polynomial
and Eq. (13) becomes

$$-mk + mk\,h(f(\tau)) < H(P_f) < mk - 1 + mk\,h(f(\tau)).$$

Thus,

$$\frac{-k + k\,h(j(\tau))}{mk - 1 + mk\,h(f(\tau))} < \frac{H(P_j)}{H(P_f)} < \frac{k - 1 + k\,h(j(\tau))}{-mk + mk\,h(f(\tau))}.$$



Eq. (14) and Eq. (15) relate the precision required for the construction of Hilbert polynomials
with the precision needed for other classes of polynomials. Estimating the height $H(P_j)$ of
Hilbert polynomials with the quantity $\frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$, we can derive the precision requirements for the
construction of every class polynomial by the equation:

$$\frac{m}{r(f)} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$$

where $m$ is either 1 or larger.

Obviously, we want to find class invariants $f(\tau)$ so that the ratio $r(f)$ is as big as possible.
However, there is a limit on the ratio $r(f)$. It is known [8] that $r(f) < 800/7$ and if the Selberg
eigenvalue conjecture in [39] holds then $r(f) < 96$. Concerning Weber polynomials, when $D \equiv 3
\pmod 8$ their degree is three times larger than the degree of the corresponding Hilbert polynomials.
Therefore, for this case of $D$, the estimation of the precision requirements will be approximately
-777 ^75 ^2 T ■ Concluding, an estimation of the precision requirements of Weber polynomials will 

be equal to ^^f £ r ± for D # (mod 3) and ±2gf £ T ± for D = (mod 3). 

Based again on Eq. (12), it can be concluded that the precision required for the construction
of the $M_{D,l}(x)$ polynomials is approximately $\frac{1}{l+1} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$ and for $M_{D,p_1,p_2}(x)$ polynomials is
approximately $\frac{(p_1-1)(p_2-1)}{12(p_1+1)(p_2+1)} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$ where the sum runs over the same values of $\tau$ as the product
in Eq. © [12]. Thus, it is equal to $\frac{1}{28} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$ for $M_{D,3,13}(x)$ polynomials and to $\frac{1}{24} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$
for $M_{D,5,7}(x)$ polynomials. The above precision estimations are summarized in Table 2. Finally,
in order to find an estimation for the precision requirements of Ramanujan polynomials, we use
Eq. (12) and Eq. (10). We easily conclude that the precision required for the construction of the
Ramanujan polynomials is approximately $\frac{1}{36} \frac{\pi\sqrt{D}}{\ln 2} \sum_{\tau} \frac{1}{a}$.
Figure 1: Bit precision for the construction of all polynomials.



6 Implementation and Experimental Results 



In this section, we discuss some issues regarding the construction of the Weber, $M_{D,l}(x)$, $M_{D,p_1,p_2}(x)$
and Ramanujan polynomials. All implementations and experiments were made in Pari 2.3.1 [35]
compiled with GMP-4.2.1 kernel pjj] and have been carried out on a double 2GHz Xeon machine
running Linux 2.6.9-22 and equipped with 2Gb of main memory.

In Figure 1 we report on the precision needed for the construction of all polynomials for various
values of $D$. In the left figure, we examine the precision requirements of Ramanujan, Weber
($D \not\equiv 0 \pmod 3$) and $M_{D,l}(x)$ polynomials for all values of $l$. The values of $D$ range from 30083
to 64163 while the degree $h$ ranges from 32 to 48. We noticed, as the theory dictates, that the
precision required for the construction of Ramanujan polynomials is much less than the precision
required for the construction of Weber and $M_{D,l}(x)$ polynomials for all values of $D$ that
we examined. Weber polynomials require less precision than $M_{D,l}(x)$ polynomials, while among
them $M_{D,13}(x)$ polynomials require the least precision. Examining larger values of the discriminant
$D$ and adding $M_{D,3,13}(x)$ and $M_{D,5,7}(x)$ polynomials in our comparison, we show (Figure 1
(right)) that Ramanujan polynomials are constructed more efficiently than all other polynomials.
$M_{D,3,13}(x)$ polynomials require less precision than $M_{D,5,7}(x)$ polynomials which are constructed
more efficiently than Weber polynomials. In this figure, we examined all values of $D$ from 21840299
to 873600299 using a step of 21840000. The degree $h$ of the constructed polynomials (for these
values of $D$) ranges from 2880 to 17472. Summarising the results of our experiments, we see that
Ramanujan polynomials outweigh $M_{D,13}(x)$, Weber, $M_{D,5,7}(x)$ and $M_{D,3,13}(x)$ polynomials as
they require on average 66%, 42%, 32% and 22% less precision respectively. Table 3 shows this
difference by presenting the exact bit precision needed for the construction of the polynomials for
several values of $D$.



  D            h        M_{D,13}(x)   Weber    M_{D,5,7}(x)   M_{D,3,13}(x)   Ramanujan
  109200299    5016     31270         18657    15546          13534           10624
  240240299    6944     45402         26837    22757          19834           15442
  349440299    9772     61933         37004    30768          26804           20998
  458640299    12660    77894         46387    38447          33633           26245
  698880299    13950    90734         54030    45311          39508           30813
  851760299    15904    101214        60333    50322          43984           34243

Table 3: Precision requirements (in bits) for the computation of $M_{D,13}(x)$, Weber, $M_{D,5,7}(x)$,
$M_{D,3,13}(x)$ and Ramanujan polynomials.
  D            h        M_{D,13}(x)   Weber    M_{D,5,7}(x)   M_{D,3,13}(x)   Ramanujan
  109200299    5016     134           245      68             59              47
  240240299    6944     271           492      138            119             94
  349440299    9772     518           950      262            227             179
  458640299    12660    842           1539     423            366             289
  698880299    13950    1087          1986     551            478             377
  851760299    15904    1379          2524     697            604             475

Table 4: Memory requirements (in MB) for the storage of $M_{D,13}(x)$, Weber, $M_{D,5,7}(x)$, $M_{D,3,13}(x)$
and Ramanujan polynomials.

Comparing the number of bits for the storage of all classes of polynomials, it is clear that
the memory required for the storage of the Ramanujan polynomials is smaller than the memory
needed for the other three classes of polynomials. The percentages are the same as in the precision
requirements of the polynomials with one exception: Weber polynomials. Notice that the degree
of Weber polynomials is $3h$ and thus the memory used for the storage of Ramanujan polynomials
is not only 42% (like the precision requirements) less than the corresponding memory needed
for the Weber polynomials but approximately 81% less! This means that regarding the storage
requirements of all polynomials, Weber polynomials are by far the worst choice. In Table 4 we
present the memory in MB needed for the storage of all classes of polynomials for a few values of
$D$. The difference in the efficiency of the construction of all classes of polynomials can be easily
understood by noticing the polynomials for $D = 299$ and $h = 8$. Even though this is a small value for
the discriminant, the difference in the size of the coefficients of the polynomials is remarkable. In
particular, 25 bits are required for the storage of the coefficients of the $T_{299}(x)$ polynomial, 188 bits
for the storage of the $W_{299}(x)$ polynomial, 112 bits for the $M_{299,13}(x)$ polynomial, 31 bits for $M_{299,3,13}(x)$
and 32 bits for $M_{299,5,7}(x)$.

$W_{299}(x) = x^{24} - 8x^{23} - 12x^{22} - 28x^{21} - 56x^{20} - 40x^{19} + 144x^{18} + 144x^{17} + 16x^{16} - 112x^{15} - 224x^{14} - 416x^{13}
- 32x^{12} + 256x^{11} + 704x^{10} + 832x^{9} + 640x^{8} - 384x^{7} - 1792x^{6} - 1280x^{5} - 256x^{4} + 1280x^{3} + 1536x^{2} + 512x + 256$



$M_{299,13}(x) = x^{8} + 78x^{7} + 793x^{6} + 5070x^{5} + 20956x^{4} + 65910x^{3} + 134017x^{2} + 171366x + 28561$



M- 



299,5,7 



(X) 



X 



8x 7 + 31x 6 



22x 5 + 28x 4 



2x 3 - 19x 2 + 8x - 1 



M29g,3,i3(a0 



6x 7 + 16x 6 + 12x 5 - 23x 4 + 12x 3 + 16x 2 - 6x + 1 



T^g(x) = x 8 + x' 



12x 5 + 16x 4 



12x 3 + 15x 2 



13x + l 



The time efficiency of the construction of the polynomials is clearly proportionate to the
corresponding precision requirements. However, notice that computing the Weber and $M_{D,l}(x)$
polynomials amounts to $2h$ evaluations of the eta function $\eta$ while for Ramanujan and $M_{D,p_1,p_2}(x)$
polynomials we need to evaluate the function $3h$ and $4h$ times respectively. This could be a
disadvantage for Ramanujan and $M_{D,p_1,p_2}(x)$ polynomials, but this is not the case. In particular,
it was shown in [12] that it is sufficient for any polynomial to precompute the values of $\eta$ only at
the $h$ reduced quadratic forms. Finally, we note that the time required for the transformation
of a root of a Weber, Ramanujan or $M_{D,l}(x)$ polynomial to a root of the corresponding Hilbert
polynomial is approximately the same. The situation gets worse when $M_{D,p_1,p_2}(x)$ polynomials
are used, because the time for the transformation and the storage of the modular polynomials are
larger.

In conclusion, we showed that Ramanujan polynomials clearly outweigh in every aspect all
previously used class polynomials for all values of the discriminant $D \equiv 3 \bmod 8$ and therefore
their use is particularly favored in the CM method for the generation of prime order ECs.